Add CsrfServerLogoutHandler

Create a CsrfServerLogoutHandler which invalidates the current CsrfToken Fixes gh-4840
2018-05-10 15:18:02 -04:00 · 2018-05-10 15:18:02 -04:00 · 26f53a20b3
parent 21750242cf
commit 26f53a20b3
2 changed files with 118 additions and 0 deletions
--- a/web/src/main/java/org/springframework/security/web/server/csrf/CsrfServerLogoutHandler.java
+++ b/web/src/main/java/org/springframework/security/web/server/csrf/CsrfServerLogoutHandler.java
@ -0,0 +1,56 @@
+/*
+ * Copyright 2002-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.server.csrf;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.security.web.server.WebFilterExchange;
+import org.springframework.security.web.server.authentication.logout.ServerLogoutHandler;
+import org.springframework.util.Assert;
+
+import reactor.core.publisher.Mono;
+
+/**
+ * {@link CsrfServerLogoutHandler} is in charge of removing the {@link CsrfToken} upon logout. A
+ * new {@link CsrfToken} will then be generated by the framework upon the next request.
+ *
+ * @author Eric Deandrea
+ * @since 5.1
+ */
+public class CsrfServerLogoutHandler implements ServerLogoutHandler {
+	private final ServerCsrfTokenRepository csrfTokenRepository;
+
+	/**
+	 * Creates a new instance
+	 * @param csrfTokenRepository The {@link ServerCsrfTokenRepository} to use
+	 */
+	public CsrfServerLogoutHandler(ServerCsrfTokenRepository csrfTokenRepository) {
+		Assert.notNull(csrfTokenRepository, "csrfTokenRepository cannot be null");
+		this.csrfTokenRepository = csrfTokenRepository;
+	}
+
+	/**
+	 * Clears the {@link CsrfToken}
+	 *
+	 * @param exchange the exchange
+	 * @param authentication the {@link Authentication}
+	 * @return A completion notification (success or error)
+	 */
+	@Override
+	public Mono<Void> logout(WebFilterExchange exchange, Authentication authentication) {
+		return this.csrfTokenRepository.saveToken(exchange.getExchange(), null);
+	}
+}
--- a/web/src/test/java/org/springframework/security/web/server/csrf/CsrfServerLogoutHandlerTests.java
+++ b/web/src/test/java/org/springframework/security/web/server/csrf/CsrfServerLogoutHandlerTests.java
@ -0,0 +1,62 @@
+package org.springframework.security.web.server.csrf;
+
+import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
+import static org.mockito.Mockito.*;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.junit.MockitoJUnitRunner;
+
+import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
+import org.springframework.mock.web.server.MockServerWebExchange;
+import org.springframework.security.authentication.TestingAuthenticationToken;
+import org.springframework.security.web.server.WebFilterExchange;
+import org.springframework.web.server.WebFilterChain;
+
+import reactor.core.publisher.Mono;
+
+/**
+ * @author Eric Deandrea
+ * @since 5.1
+ */
+@RunWith(MockitoJUnitRunner.class)
+public class CsrfServerLogoutHandlerTests {
+	@Mock
+	private ServerCsrfTokenRepository csrfTokenRepository;
+
+	@Mock
+	private WebFilterChain filterChain;
+
+	private MockServerWebExchange exchange;
+
+	private WebFilterExchange filterExchange;
+
+	private CsrfServerLogoutHandler handler;
+
+	@Before
+	public void setup() {
+		this.exchange = MockServerWebExchange.from(MockServerHttpRequest.get("/").build());
+		this.filterExchange = new WebFilterExchange(this.exchange, this.filterChain);
+		this.handler = new CsrfServerLogoutHandler(this.csrfTokenRepository);
+		when(this.csrfTokenRepository.saveToken(this.exchange, null)).thenReturn(Mono.empty());
+	}
+
+	@Test
+	public void constructorNullCsrfTokenRepository() {
+		assertThatExceptionOfType(IllegalArgumentException.class)
+				.isThrownBy(() -> new CsrfServerLogoutHandler(null))
+				.withMessage("csrfTokenRepository cannot be null")
+				.withNoCause();
+	}
+
+	@Test
+	public void logoutRemovesCsrfToken() {
+		this.handler.logout(
+				this.filterExchange,
+				new TestingAuthenticationToken("user", "password", "ROLE_USER")).block();
+
+		verify(this.csrfTokenRepository).saveToken(this.exchange, null);
+	}
+}